I have set up an OWIN authorization server and several resource servers exposing ASP.NET Web APIs. I am serving up a JWT from the authorization server that is specific to each
As it turns out, this wasn't as hard as I expected. I created a standard web API controller off of an alternative endpoint (/token/windows/). This endpoint takes an HTTP POST with the client (resource) ID the Windows user is trying to connect to. I put the standard [Authorize] attribute on the action to ensure that identity is established, then I manually create a claims identity and return a JWT to the user. From that point on the user uses the standard token refresh process.
Edit: here's a sample below that represents what I implemented. Note that this app is configured in IIS to support Windows Authentication (in addition to anonymous authentication):
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;

[RoutePrefix("token/windows")]
public class WindowsAuthenticationController : ApiController
{
    [Authorize]
    [HttpPost]
    [Route("{client_id}")]
    public async Task<IHttpActionResult> CreateTokenForWindowsIdentity(string client_id)
    {
        var user = User as ClaimsPrincipal;
        if (user == null) return Unauthorized(); // 401

        // generate claims based on the User.Identity.Name...
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, user.Identity.Name) };
        var identity = new ClaimsIdentity("JWT");
        identity.AddClaims(claims);

        // manually create JWT using whatever method you prefer,
        // I used something inspired from http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/
        string token = CreateJwt(identity, client_id); // placeholder: your own JWT builder goes here
        return Ok(new { access_token = token, token_type = "bearer" });
    }
}
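Below is an added, complete version of the endpoint described in this answer; it is example code written for this page, not the answerer's implementation. It assumes the System.IdentityModel.Tokens.Jwt 5.x package (with Microsoft.IdentityModel.Tokens) for signing, a hypothetical IClientStore that maps a client_id to the audience and shared HMAC secret the matching resource server validates against, and a placeholder issuer URL. The parts the answer leaves open are filled in from a defender's point of view: the endpoint only mints tokens for identities that IIS actually established through Windows authentication, it refuses unknown client_ids so a caller cannot obtain a token for an arbitrary audience, and each token carries a short, per-client lifetime.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Principal;
using System.Web.Http;
using Microsoft.IdentityModel.Tokens;

// Hypothetical registry of resource servers this authorization server issues tokens for.
public class ClientRegistration
{
    public string ClientId { get; set; }
    public string Audience { get; set; }
    public string Base64Secret { get; set; }      // shared HMAC secret, at least 32 random bytes
    public TimeSpan AccessTokenLifetime { get; set; }
}

public interface IClientStore
{
    ClientRegistration Find(string clientId);     // returns null for an unknown client_id
}

[RoutePrefix("token/windows")]
public class WindowsAuthenticationController : ApiController
{
    private const string Issuer = "https://auth.example.local"; // placeholder issuer
    private readonly IClientStore _clients;

    public WindowsAuthenticationController(IClientStore clients)
    {
        _clients = clients;
    }

    [Authorize]
    [HttpPost]
    [Route("{client_id}")]
    public IHttpActionResult CreateTokenForWindowsIdentity(string client_id)
    {
        // [Authorize] already rejects anonymous callers; additionally insist that the
        // identity came from IIS Windows authentication, not some other middleware.
        var windowsIdentity = User?.Identity as WindowsIdentity;
        if (windowsIdentity == null || !windowsIdentity.IsAuthenticated)
            return Unauthorized(); // 401

        // Never mint a token for an audience this server does not know.
        var client = _clients.Find(client_id);
        if (client == null)
            return BadRequest("unknown client_id");

        var now = DateTime.UtcNow;
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, windowsIdentity.Name),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
            new Claim("auth_method", "windows"),
        };
        // Forward the group SIDs from the Windows token so the resource server can
        // authorize on them without its own round trip to the domain.
        claims.AddRange(windowsIdentity.FindAll(ClaimTypes.GroupSid));

        var key = new SymmetricSecurityKey(Convert.FromBase64String(client.Base64Secret));
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: client.Audience,
            claims: claims,
            notBefore: now,
            expires: now.Add(client.AccessTokenLifetime),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));

        var encoded = new JwtSecurityTokenHandler().WriteToken(token);
        return Ok(new
        {
            access_token = encoded,
            token_type = "bearer",
            expires_in = (int)client.AccessTokenLifetime.TotalSeconds,
        });
    }
}
```

The audience and signing secret are looked up per client_id rather than taken from the request, so the token is only valid at the resource server that shares that secret; the resource server's JWT bearer middleware should validate issuer, audience and lifetime with the same values. Key the IClientStore from configuration or a database and keep the secrets out of source control.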